A place for talking about the Ethereum Virtual Machine on Farcaster.

I wrote a short post on account abstraction wallet security for @code4rena. It was great to take a deeper look at the spec. Wallets are  critical and it’s important to get them right, but I’m excited for 4337.

Comprehensive web3 security, on demand. $20M+ in rewards paid. 1200+ high severity vulns found. code4rena.com

I wrote a short post on account abstraction wallet security for @code4rena. It was great to take a deeper look at the spec. Wallets are  critical and it’s important to get them right, but I’m excited for 4337.

https://medium.com/code4rena/smart-account-security-69b544c0da86

I'm eth newbie..just learning
(working on @farcaster)

terminally.online

Can you help me understand how this changes the custody requirements for end-users?

Today, I am responsible for managing my private keys. If I use a 3rd party service to generate an AA wallet, where does the burden of custody shift?

Building /bright-moments - minting onchain art IRL | /purple #15 | FID 129 #magikarp

Really good question. Curious to hear others chime in. 

It depends a lot on the specific wallet implementation. EOA wallets are just a secret number, but AA wallets are software. So as a user you'll need to know what features that software supports and whether it's any good.

Burden of custody will be a spectrum, but there will still be offchain keys you have to manage somehow. The simplest possible AA wallet is something like a 1/1 multisig: a wallet contract with a single owner that's still an EOA account. You can rotate the owner key, but you're still stuck if you lose it.

So far you're still using an EOA: that is, an ECDSA key. Further out on the spectrum are software wallets that let you sign using other keys, like the curves in the Apple Secure Enclave. Now you're still on the hook for custody of your phone, but the key is hidden and stored in hardened special purpose hardware.

Ultimately self custody will always mean keeping some secret safe, but we can do better than using a private key/seed phrase: you can use your face or your fingerprint to protect the secret, store it more securely, and it won't have to be an ECDSA key.

AA Utopia: Open source software wallets that are simple, modular, and secure, based on shared standards.

AA Dystopia: Every app deploys a new wallet for you, so now you have 30 different wallets on every chain with different versions, features, security properties, and interfaces, all still managed by your old EOA.

Next on the spectrum is an EOA-owned wallet with a guardian or social recovery system (like your Farcaster recovery address). Now you still need to keep your key safe, but you can recover it if you lose it, maybe guardian accounts can pause the wallet if it gets stolen.